Users without any project membership can view manual job variables in internal projects

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3319800 by joaxcar on 2025-08-29, assigned to @cmaxim:


Report

Summary

Similar to CVE-2025-2246, there is still a slight issue with how variables related to manual jobs are accessed. This is the information in the docs:

Warning: Any project member with permissions to run a manual job can retry the job and view the variables that were provided when the job was initially run. This includes:
  - In public projects: Users with the Developer role or higher.
  - In private or internal projects: Users with the Guest role or higher.
Consider this visibility when entering sensitive information as manual job variables.

The issue is that all users of the instance have "implicit" guest access to internal projects. That means that even if a user on the instance is not a member of the project, they can still view the values of any manual variable on jobs. It could be that this is how the patch was intended, but the wording "Any project member" in the docs makes it sound like a user needs to get explicit guest access to a project to view these variables. This is not the case: any user on the instance has implicit guest access and will thus pass this check:

    rule { ~public_project & guest }.enable :read_manual_variables  
Steps to reproduce
  1. Set up a self hosted instance
  2. Create two users attacker and victim
  3. As victim create a new internal project
  4. Add a .gitlab-ci.yml file in the project with this content

```yaml
test:
  script: echo "hi"
  when: manual
```

  5. Go to GROUPNAME/PROJECTNAME/-/jobs?statuses=MANUAL&kind=BUILD
  6. Click on the Manual button
  7. Enter a few key and value pairs as variables and run the job
  8. Log in as attacker
  9. Go to YOUR_GITLAB_URL/-/graphql-explorer
  10. Run this query (replace GROUP/PROJECT with your group and project name)

```graphql
query {
  project(fullPath: "joaxcar-test13/new_ato") {
    jobs {
      nodes {
        name
        manualVariables {
          nodes {
            key
            value
          }
        }
      }
    }
  }
}
```

  11. You should see the values of the variables even if you are not a member of the project
What is the current bug behavior?

Any user on the instance can view manual variables on internal projects

What is the expected correct behavior?

Users should be explicit members to view variable values

Impact

Non members of internal projects can see job manual variables in GraphQL
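To make the distinction the report draws concrete, here is an added Ruby model (constructed for this issue, not GitLab's own policy code) of the rule quoted in the Summary, evaluated once with "guest" meaning the implicit guest access every signed-in user gets on internal projects and once meaning an explicit membership at Guest or above. The user, project and role names are assumed, and the separate public-project rule is out of scope.

```ruby
# Constructed model (not GitLab's policy code) of the rule quoted in the report:
#   rule { ~public_project & guest }.enable :read_manual_variables
# The only thing that changes between the two variants is what "guest" means.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# members maps username => role; a nil user stands for an anonymous visitor.
Project = Struct.new(:visibility, :members, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

# "guest" as the report says it currently resolves: an explicit membership, or,
# on internal projects, simply being any signed-in user of the instance.
def implicit_guest?(user, project)
  return false if user.nil?
  return true if project.members.key?(user.name)
  project.visibility == :internal
end

# "guest" as the report expects it: an explicit membership at Guest or above.
def explicit_guest?(user, project)
  return false if user.nil?
  role = project.members[user.name]
  !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK[:guest]
end

# The rule itself, ~public_project & guest, with the guest predicate plugged in.
def read_manual_variables?(user, project, guest_predicate)
  project.visibility != :public && send(guest_predicate, user, project)
end

# Constructed scenario mirroring the report's steps: "victim" owns an internal
# project; "attacker" is a signed-in instance user with no membership at all.
def report_scenario
  victim   = User.new(name: "victim")
  attacker = User.new(name: "attacker")
  internal = Project.new(visibility: :internal, members: { "victim" => :maintainer })
  priv     = Project.new(visibility: :private,  members: { "victim" => :maintainer })
  {
    attacker_internal_current:  read_manual_variables?(attacker, internal, :implicit_guest?),
    attacker_internal_expected: read_manual_variables?(attacker, internal, :explicit_guest?),
    attacker_private_current:   read_manual_variables?(attacker, priv, :implicit_guest?),
    victim_internal_expected:   read_manual_variables?(victim, internal, :explicit_guest?),
    anonymous_internal_current: read_manual_variables?(nil, internal, :implicit_guest?)
  }
end
```

Under the current reading the non-member passes on the internal project but not on the private one, which is exactly the gap the report describes; with the explicit check only the actual member is allowed through.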

How To Reproduce

Please add reproducibility information to this section: